
Suspicious Hijackthis Log Entry

I downloaded a file this week that infected me with several viruses and malware. I keep thinking I have them wiped out until AVG starts popping up with infected files again or I reboot and MalwareCrush is back in the system tray. Below is my HiJackThis log which contains the following suspicious entry. I do not recognize this DLL and cannot find anything about it online. Additionally, the 'Created Date' is about the time the infections began. Has anyone seen this file before? Do you see anything else in the log? Thanks!

Something you created? If you know what it is -- fine. I just don't recognize it so it's suspect IMO.

Thanks

I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box:

C:\Deckard\System Scanner\Extra.txt

Click Upload.

What DSS will do:
-- create a new System Restore point in Windows XP and Vista.
-- clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
-- check some important areas of your system and produce a report for your analyst to review.
-- System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Thanks


This appears to have taken care of the MalWareCrush icon in my system tray, but AVG is still periodically popping up with threat alerts. I always get 2 simultaneously. One is a seemingly randomly-named executable in C:\Windows\Temp and the other is an HTML file. AVG names the threat "Trojan Horse Agent.NJG." Examples:

Please include URL to this thread so I know who those files belong to.

Possibly the BITS service is being used to download malware.

Thanks


And that may make sense; something else I have noticed is that when Windows first boots (every time) I get the Windows Update "Downloading updates" icon in the system tray for a few seconds. I had never seen this until recently.

Those dat files are OK.
I kinda thought there would be some malicious URLs in them causing BITS to re-download malware.

I see you did use ComboFix recently though...
I'd like to see what it took out.

Can you post the log from it please?

C:\combofix.txt

If too big to post here -- zip & attach please.

Thanks


Actually, I deleted all ComboFix files shortly after running it. Would it do any good to run it again and post the logs?

I am still struggling with this and am close to just reformatting my hard drive.

Yesterday the symptoms changed a little. It is now downloading .TMP files that SpyBot identifies as WIN32.Tiny.abk to C:/Windows/Temp on every boot. Since this started, my web browsing has been very slow and I have been unable to connect to other machines on my home network.

When I ran HiJackThis soon after booting, I noticed that C:\WINDOWS\system32\wuauclt.exe was listed as a running process. When I opened the folder to look at the file properties, I saw that there is also an application named wuauclt1.exe that has the fancy windows update icon while wuauclt.exe has a generic .EXE icon. On other XP Pro machines, both programs have the fancy icon. This caused me to think that the file had been replaced by something, so I copied over all files matching the pattern C:\WINDOWS\system32\wu*.* from another machine. I then did a reboot and saw that wuauclt.exe was again replaced. I ran Windows Update, and it did an install of its own ActiveX controls which was a little weird since this was already installed, but that may have been because I was mucking with them. The only files it appears to have recopied (judging by the Date Created timestamp) are:

wuaucpl.cpl.mui
wuaueng.dll.mui
wucltui.dll.mui
wups2.dll

Also, when I go to Start>All Programs, at the top of the list of programs, Windows Update (pointing to %SystemRoot%\system32\wupdmgr.exe) appears with the fancy icon, but Microsoft Update (pointing to C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\muweb.dll,LaunchMUSite) appears with the generic icon.
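A defender's triage script for the two leads raised in this thread, added here and not part of any post: it checks whether the Windows Update binaries under System32 (the wu*.* files the poster compared by icon and copied from another machine) carry a valid Microsoft Authenticode signature, and whether any BITS job (the helper's hypothesis) is fetching files into C:\Windows\Temp or from a non-Microsoft host. It assumes Windows PowerShell 3 or later run as administrator with the BitsTransfer module available; the "Suspect" heuristics are my own, not the thread's.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 3+, run elevated,
# with the BitsTransfer module; paths are the ones named in the thread.
Import-Module BitsTransfer -ErrorAction SilentlyContinue

function Test-WindowsUpdateBinaries {
    # Authenticode check of the wu*.* files the poster inspected by icon. A genuine
    # Microsoft binary reports Status 'Valid' with a Microsoft signer; 'NotSigned' or a
    # foreign signer on wuauclt.exe means the file was replaced, whatever its icon.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($f in Get-ChildItem -Path $sys32 -Filter 'wu*.*' -File) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File      = $f.Name
            Created   = $f.CreationTime
            SigStatus = $sig.Status
            Signer    = $signer
            # heuristic: anything not validly signed by Microsoft needs a closer look
            Suspect   = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
        }
    }
}

function Get-SuspiciousBitsJobs {
    # Lists every BITS job on the box with its download URL and target file. A job
    # pulling from a host that is not Microsoft/Windows Update, or writing into
    # %SystemRoot%\Temp (where the poster's .TMP files land at boot), is flagged.
    $tempDir = Join-Path $env:SystemRoot 'Temp'
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            [pscustomobject]@{
                Job       = $job.DisplayName
                Owner     = $job.OwnerAccount
                State     = $job.JobState
                RemoteUrl = $file.RemoteName
                LocalFile = $file.LocalName
                Suspect   = ($file.RemoteName -notmatch '\.(microsoft|windowsupdate)\.com/') -or
                            ($file.LocalName -like "$tempDir\*")
            }
        }
    }
}

Test-WindowsUpdateBinaries | Format-Table -AutoSize
Get-SuspiciousBitsJobs | Format-Table -AutoSize
```

Rows with Suspect = True are leads for the analyst, not verdicts: a third-party driver updater can legitimately own a BITS job, and a missing signature on a .mui resource file is less telling than one on wuauclt.exe itself.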

Make sure to perform the Recovery Console install please as an added safeguard.

Thanks

Blender


I got a little eager and ran ComboFix before I remembered to install the recovery console. Sorry. Here is the log:

I don't know if this is helpful or not, but by using an IP traffic monitor, I determined that the Win32.Tiny.abk files that are appearing in c:\Windows\Temp are being downloaded at boot up by services.exe. AVG, Spybot, and Adaware all say nothing is wrong with services.exe.

In the event you already have SDFix, please delete it as this is a new version I need you to download.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, the Advanced Options Menu should appear;

Select the first option, to run Windows in Safe Mode, then press Enter.

Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Let me know how the system is running and if you can complete a virus scan.

Thanks
